TweakTown

'BREACH' can hack HTTPS in 30 seconds, nothing is secure

Latest hack can get HTTPS data within 30 seconds.

@anthony256
Anthony Garreffa
Published Tue, Aug 6 2013 8:19 AM CDT   |   Updated Tue, Jun 16 2020 4:29 PM CDT

One would think this is fear mongering, but it's real, and it's here. Security experts are now warning website operators to test their HTTPS traffic, as it might be vulnerable to a new crypto attack that can be used to take users' information.


The attack is called Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext, or BREACH, and was detailed in a Department of Homeland Security (DHS) "BREACH vulnerability in compressed HTTPS" advisory issued on Friday. The DHS warned that "a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream."

The vulnerability was exposed last Thursday at the Black Hat conference in Las Vegas by Salesforce.com Lead Product Security Engineer, Neal Harris, along with Salesforce.com Lead Security Engineer, Yoel Gluck. Their HTTPS crypto attack can watch "the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site," according to exploit details provided to the DHS by Prado.

He said: "To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response. In practice, we have been able to recover CSRF tokens with fewer than 4,000 requests. A browser like Google Chrome or Internet Explorer is able to issue this number of requests in under 30 seconds, including callbacks to the attacker command and control center."

This reportedly only affects compressed HTTPS traffic, but attention needs to be brought to the security of our privacy. You can read more on this scary new security breach, here.
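The size difference described in the quote above, and the point that only compressed traffic is affected, can be checked offline with the following added example, which is not code from the article or from the researchers. The page template, token value and function names are constructed for illustration, and the compressed body length stands in for the ciphertext size an observer would see.

```python
import zlib

# Constructed sample values, not taken from any real site.
SECRET_TOKEN = "9f3a7c1e5b2d4a60"
PAGE = ('<html><body><p>Results for: {q}</p><form method="post">'
        '<input type="hidden" name="csrf_token" value="{token}">'
        '</form></body></html>')


def render(reflected: str) -> bytes:
    """Hypothetical page that echoes a request parameter next to a secret."""
    return PAGE.format(q=reflected, token=SECRET_TOKEN).encode()


def wire_size(body: bytes, compress: bool) -> int:
    """Body size as sent; TLS encryption roughly preserves this length."""
    return len(zlib.compress(body, 9)) if compress else len(body)


def size_gap(compress: bool) -> int:
    """Bytes by which a reflection matching the secret shrinks the response,
    compared with the smallest same-length non-matching reflection."""
    prefix = 'value="'
    matching = prefix + SECRET_TOKEN[:8]
    non_matching = [prefix + s for s in ("0b8d6e24", "47d0b9e3", "e2608db5")]
    hit = wire_size(render(matching), compress)
    miss = min(wire_size(render(r), compress) for r in non_matching)
    return miss - hit


if __name__ == "__main__":
    # A positive gap means response size depends on the secret's content.
    print("gap with compression:   ", size_gap(True))
    print("gap without compression:", size_gap(False))
```

A positive gap with compression and a zero gap without it is the signal a site operator should look for when testing pages that place reflected input and a secret in the same compressed response body.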

Anthony is a long time PC enthusiast with a passion of hate for games built around consoles. FPS gaming since the pre-Quake days, where you were insulted if you used a mouse to aim, he has been addicted to gaming and hardware ever since. Working in IT retail for 10 years gave him great experience with custom-built PCs. His addiction to GPU tech is unwavering.
